
Metafin Cleantech Finance Private Limited

Information Security Policy

     1.         Purpose

The purpose of this Information Security Policy (“Policy”) is to safeguard information belonging to Metafin Cleantech Finance Private Limited (“Company”) and its stakeholders (third parties, clients or customers and the general public), within a secure environment.

This Policy informs the Company’s employees, contractors, and other individuals that are entrusted with any information related to the business, of the principles governing the holding, use and disposal of information.

 

Key Objectives

●      Information will be protected against unauthorised access or misuse.

●      Confidentiality of information will be secured.

●      Integrity of information will be maintained.

●      Availability of information/information systems is maintained for service delivery.

●      Business continuity planning processes will be maintained.

●      Regulatory, contractual and legal requirements will be complied with.

●      Physical, logical, environmental and communications security will be maintained.

●      Infringement of this Policy may result in disciplinary action or criminal prosecution.

●      When information is no longer of use, it is disposed of in a suitable manner.

●      All information security incidents will be reported to the information security manager (a leadership role that may be titled and designated based on the needs of the Company) and investigated through the appropriate management channel.

Information relates to:

●      Electronic information systems (software, computers, and peripherals) owned by the Company, whether deployed or accessed on or off the workplace.

●      The Company’s computer network, used either directly or indirectly.

●      Hardware, software and data owned by the Company.

●      Paper-based materials.

●      Electronic recording devices (video, audio, CCTV systems).

●      Information shared through oral communication.

 

     2.         The Policy

The Company requires all users to exercise a duty of care in relation to the operation and use of its information systems, irrespective of form or media.

                   2.1.         Authorised users of information systems

With the exception of information published for public consumption, all users of the Company’s information systems must be formally authorised by appointment as an employee, contractor, or by other processes of non-disclosure specifically authorised by the person authorised to manage information security. Authorised users will be in possession of a unique user identity. Any password associated with a user identity must not be disclosed to any other person.

Authorised users will pay due care and attention to protect Company information in their personal possession. Confidential, personal or private information must not be copied or transported without consideration of:

●      permission of the information owner

●      the risks associated with loss or falling into the wrong hands

●      how the information will be secured during transport and at its destination.

                   2.2.         Acceptable use of information systems

Use of the Company’s information systems by authorised users will be lawful, honest and decent and shall have regard to the rights and sensitivities of other people. The detail of acceptable use in specific areas may be found in the list of subsidiary policies detailed in the Appendix.

                   2.3.         Information System Owners

Authorised officers who are responsible for information systems are required to ensure that:

1.     Systems are adequately protected from unauthorised access.

2.     Systems are secured against theft and damage to a level that is cost-effective.

3.     Adequate steps are taken to ensure the availability of the information system, commensurate with its importance (Business Continuity).

4.     Electronic data can be recovered in the event of the loss of the primary source, i.e., failure or loss of a computer system. It is incumbent on all system owners to back up data and to be able to restore data to a level commensurate with its importance (Disaster Recovery).

5.     Data is maintained with a high degree of accuracy.

6.     Systems are used for their intended purpose and that procedures are in place to rectify discovered or notified misuse.

7.     Any electronic access logs are only retained for a justifiable period to ensure compliance with the data protection, investigatory powers and other relevant acts concerning information and privacy.

8.     Any third parties entrusted with Company data understand their responsibilities with respect to maintaining its security.

                   2.4.         Personal Information

Authorised users of information systems are not given rights of privacy in relation to their use of Company information systems. Duly authorised officers of the Company may access or monitor personal data contained in any Company information system (mailboxes, web access logs, file store, etc.).

                   2.5.         Remedies

Individuals in breach of this policy are subject to disciplinary procedures (employee, contractor or third party) at the instigation of the officer with responsibility for the relevant information system, including referral to the Police where appropriate.

The Company will take legal action to ensure that its information systems are not used by unauthorised persons.

     3.         Ownership

The Chief Risk Officer (CRO) has direct responsibility for maintaining this Policy and providing guidance and advice on its implementation. Information system owners are responsible for the implementation of this Policy within their area, and for ensuring adherence.

     4.         Policy Review and Updates

 

This policy was approved by the Board on July 3rd 2019 and comes into effect on July 4th 2019. The implementation of this policy shall be monitored and reviewed periodically by the Board.
